jChains

nEws

• 09.04.04 - jChains sources added

• Get the Sources from the official jchains source codedirectory !

  • 29.01.04 - jChains has a GUI now (see screenshots below)

  dEscription

  This custom security manager framework records the permissions needed for the codebases (jars) of j2se applications running under access control of a security manager. The resulting policy file is recorded while running the program and is useful as a starting point when developing a security policy for a java application. When run against libraries when source is not available it is useful for reverse engineering, revealing the permission needed to use the libraries. This is helpful when you do not trust the jar , and do not want to grant it the AllPermission free ride ticket.

  
  

  fIles

  In order to get familiar with the classes, please spend a look for the javadoc-files. An initial release can be found in the following ia.zip file,source code will be released when code cleanup is completed.

  sAmples

  • This link provides a sample output of jchains when running against jedit 4.1.
  • This link provides a sample output of jchains when running against jboss3.2.1 (first 64k)

  uSage

  1. In order to use jchains you first need to setup a CORBA orb infrastructure, so start the ORB demon with orbd
     orbd -ORBInitialPort 1050 -serverPollingTime 200
  2. Then register the CORBA receiver in the persistent CORBA server manager servertool
     servertool -ORBInitialPort 1050
  3. Inside servertool register the receiver with
     register -server org.illegalaccess.jchains.receiver.Receiver -applicationName PermissionTransfer -classpath ia.zip
  Now you have setup the receiver, now you start the application from which you want to squeeze out the needed permission
  • Basically you just need to put the ia.zip in the classpath and set the following environment variables
    
  • -Dorg.illegalaccess.emitClass=org.illegalaccess.jchains.intercept.CORBAEmitter
  • -Dorg.illegalaccess.jchains.outputfile=jbossout.txt
  • -Dorg.illegalaccess.jchains.CNameServiceIOR=corbaloc::localhost:1050/NameService
  • -Djava.security.manager=org.illegalaccess.jchains.intercept.JChainsSecInterceptor
  • This file is the startup file I used to retrieve the needed permissions for jboss 3.2.1

  sCreenshots

  • 
    The Execution Environment
  • 
    The Status Dashboard
  • 
    The Permission Request Logs
  • 
    The Policy File

  mOre iNformation

  
  For more information please contact me at marc(at)marc-schoenefeld.de

  lInks oN jAva sEcurity

  • www.lsd-pl.net has found interesting stuff about classloader spoofing and has an impressing history on netscape java bugs
  • www.illegalaccess.org lists some security problems with jdk and jboss
  • java.sun.com/security/ shows you that Sun is aware of all problems (known to them :-)
  • The latest available document about the Java 2 Security Architecture was written in 1998 has not been replaced by an updated version since then

  cOverage

  • On Ibiblio Java FAQ
  • From the Norwegian site JavaBin: Marc Schoenefeld har skrevet JChains, som er en egenutviklet security manager. JChains legger seg som en proxy i sikkerhetsrammeverket og registrerer hvilke rettigheter forskjellige j2se applikasjonene trenger for å kjøre. Dette er en stor fordel (les: mye sikrere) i forhold til AllPermission strategien endel java applikasjoner leveres med.
  • jchains is listed on Freshmeat

  sUpport

  • If you like to support this work, you may starting your book, music, dvd and other utility shopping from this link to amazon.com.
  • Show long list of books about Java
  • Show long list of books about Secure Programming
  • Show long list of books about JMX
  • Show long list of books about JBoss
  • Show long list of books about J2EE
  • Show long list of books about Common Criteria
  • Show long list of books about Cryptography
  • Show long list of books about Hacking
  • Show long list of books about Computer Security in general
  • Show long list of books about Distributed Systems